Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(#3281) Add validation for cache folder permissions #3282

Merged
merged 2 commits into from
Jul 25, 2023
Merged

(#3281) Add validation for cache folder permissions #3282

merged 2 commits into from
Jul 25, 2023

Conversation

AdmiringWorm
Copy link
Member

@AdmiringWorm AdmiringWorm commented Jul 25, 2023
edited
Loading

Description Of Changes

These changes introduces a new validation check to ensure that
the system cache folder that is used for storing NuGet responses
have been properly locked down to administrators.

When the directory exists, and allows modifications or creations of
files by normal user this will output a validation warning about steps
that can be taken to lock down the directory.

When the directory does not exist, this same validation check ensure
that the directory is created while only allowing Administrators to
modify, create or delete anything in the folder.

Motivation and Context

We should do what we can to prevent malicious users to make modifications to something that can have reporcussions for the user that is installing a package.

Testing

Elevated tests

  1. Create directory C:\ProgramData\ChocolateyHttpCache and delete any log files
  2. Run the command choco search vcredist140
  3. Validate the following warning is
    image
  4. Validate log file contains
    image
  5. Delete folder C:\ProgramData\ChocolateyHttpCache and log file
  6. Run choco search vcredist140
  7. Validate no warning is shown in console
  8. Validate log file contains
    image
  9. Delete log file again (Do not remove cache folder)
  10. Run choco search vcredist140 again
  11. Validate no warning is shown in console
  12. Validate log file contains image
    image

Non-Elevated tests

  1. Create directory C:\Users\<USERNAME>\.chocolatey\http-cache and recreate folder C:\ProgramData\ChocolateyHttpCache
  2. Run the command choco search vcredist140 —debug
  3. Validate no warning is shown
  4. Validate console output contains image
    image
  5. Delete Folder C:\Users\<USERNAME>\.chocolatey\http-cache
  6. Replay steps 2-4
  7. Replay again steps 2-4

Operating Systems Testing

  • Windows Server 2022

Change Types Made

  • Bug fix (non-breaking change).
  • Feature / Enhancement (non-breaking change).
  • Breaking change (fix or feature that could cause existing functionality to change).
  • Documentation changes.
  • PowerShell code changes.

Change Checklist

  • Requires a change to the documentation.
  • Documentation has been updated.
  • Tests to cover my changes, have been added.
  • All new and existing tests passed?
  • PowerShell code changes: PowerShell v2 compatibility checked?

Related Issue

Fixes #3281

@AdmiringWorm AdmiringWorm self-assigned this Jul 25, 2023
@AdmiringWorm AdmiringWorm requested a review from gep13 July 25, 2023 09:44
@AdmiringWorm @gep13
(chocolatey#3281) Add validation for cache folder permissions
583d149 
These changes introduces a new validation check to ensure that
the system cache folder that is used for storing NuGet responses
have been properly locked down to administrators.

When the directory exists, and allows modifications or creations of
files by normal user this will output a validation warning about steps
that can be taken to lock down the directory.

When the directory does not exist, this same validation check ensure
that the directory is created while only allowing Administrators to
modify, create or delete anything in the folder.
@AdmiringWorm @gep13
(maint) Add helper to split on max line lengths
2217d63 
These changes introduces a new string helper that ensures
that each line in the output will not be any longer than the
configured maximum line length. And attempt to split these
lines at the last available non-letter and non-digit before the
length limitation.
@gep13 gep13 force-pushed the http-cache-locked branch from a143527 to 2217d63 Compare July 25, 2023 09:52
gep13
gep13 approved these changes Jul 25, 2023
View reviewed changes
Copy link
Member

@gep13 gep13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@gep13 gep13 merged commit ca3080f into chocolatey:develop Jul 25, 2023
@gep13
Copy link
Member

gep13 commented Jul 25, 2023

@AdmiringWorm this is a great addition! Thank you for getting this done!

@AdmiringWorm AdmiringWorm deleted the http-cache-locked branch September 25, 2023 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gep13 gep13 gep13 approved these changes

Assignees

@AdmiringWorm AdmiringWorm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ensure that only Administrators are able to modify files that are stored within the ChocolateyHttpCache folder
2 participants
@AdmiringWorm @gep13